Hooked on Compliance

Join Jesse as he explores the wonderful world of compliance requirements and talks about why you don’t necessarily need to know the intricate details of every law and framework, some of the best security training and certifications you can get, the NIST cybersecurity framework, why password managers are great as long as you do two things, five objectives for establishing an API-first security strategy, why you need to have your critical services and all of your data in multiple availability zones and spread across multiple regions if possible, why you should always assign permissions to AWS IAM user groups, and more.

Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you’re about to listen to.


Show Notes:

Links:

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.


Announcer: If your mean time to WTF for a security alert is more than a minute, it’s time to look at Lacework. Lacework will help you get your security act together for everything from compliance service configurations to container app relationships, all without the need for PhDs in AWS to write the rules. If you’re building a secure business on AWS with compliance requirements, you don’t really have time to choose between antivirus or firewall companies to help you secure your stack. That’s why Lacework is built from the ground up for the cloud: Low effort, high visibility, and detection. To learn more, visit lacework.com.


Jesse: Compliance requirements are everywhere. I’ve been on both sides of the table for dozens of audits, and I’ve even worked on commercial building fire code compliance for data centers and even a school. Whatever your industry, there are compliance requirements lurking somewhere in your buildings, your data center, and your clouds. You should know what legal compliance mandates you must meet as well as industry standards or certifications you should meet. You don’t have to learn all the intricate details of any of these compliance laws or frameworks, however, you should at least know what the requirements you have and what frameworks you should use.


You need to understand more than what your organization does at a high level. You also should know what general activities your organization performs, such as selling things, providing services to a public, or quasi-public entity, or government agencies, or schools, or managing investments or banking. Then go find out your compliance needs. An article called Information Security Compliance: Which regulations relate to me? By TCDI—which appears to be a consulting firm that I neither endorse nor know anything about at all—is a short primer on some common compliance programs that really should prove useful to you.


Meanwhile, in the news, SANS cloud security curriculum gaining altitude. Become a SANS cloud ace. SANS and GIAC have the best security training and certifications, and now they’ve expanded their cloud courses, including some more foundational options non-security people should find valuable. The training is detailed, challenging, and rewarding, and will teach you far more than most other programs including hands-on exercises that are key to learning tech.


Introduction to the NIST cybersecurity framework. I like the cybersecurity guidelines and frameworks NIST creates because they are useful and understandable tools for non-security and security people I like. I like this introductory primer to better understand structured security frameworks and to start learning how auditors think. Essentials to consider when choosing a cloud security posture management solution; whether your primary job is security or not, I always advocate for a centralized, simplified automation and standardization of security controls wherever possible. For multi-cloud environments, you can outsource to a cloud security posture management—or CSPM—provider, and this quick read has tips I like on some basics to consider for how to choose your solution.


SOC 2 attestation tips for SaaS companies. Everyone should understand the basics of service organization control type two, more commonly known as SOC 2, as it is fundamental to doing business in the cloud. SOC 2 is especially important for SaaS providers because it shows there are certain safeguards for data confidentiality, integrity, and availability, among other things.


Enterprises need to change passwords following ClickStudios’ Passwordstate attack. Tangentially related to cloud, password managers are great tools as long as they are secure, but if you use this one you need to know two things. First, you have to change all your passwords, and second, you need to search for indicators of compromise—or IOCs—for possible nasty things in your environment.


Five objectives for establishing an API-first security strategy. With cloud-native services APIs become an easy target, so you need to know how to design their use securely. I would use these tips in designing a SaaS offering, so you should too. Hackers are exploiting a Pulse Secure Zero-Day to breach orgs around the world. You need to trust your zero trust solution, and if you use Pulse Secure, you need to know what to do about this right now. If you don’t use Pulse Secure, you should still understand what happened so you can be prepared for when this happens to you.


Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn’t translate well to cloud or multi-cloud environments, and that’s not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That’s extrahop.com/trial.


Jesse: Man charged with planning to blow up Amazon Web Services data center in Virginia. You should always have your critical services and all of your data in multiple availability zones, and as much as possible spread across multiple regions. Someday, one of these nutters will succeed in disrupting AWS just enough to give you a bad day. Also, it’s easy to forget that most people don’t know how ‘the cloud’ and ‘the internet’ actually work. Heck, we barely know how these things work and we’re supposed to know this stuff.


SalusCare, a health services provider, sues AWS over security response. Sure, anyone can sue anyone for anything, but you need to be careful with your data and even more careful with your customers’ data. Does your service agreement and licensing protect and indemnify you from things like this? Even a nuisance lawsuit is costly, so be informed.


Risk, the misunderstood discipline. Security and finance people talk about risk constantly and some of us evaluate risk in our daily lives. Yep, I do every day at work and home. You need to understand some fundamentals of risk to know how to make decisions. What are the different roles within cybersecurity? Just like IT is balkanized and specialized, security is just as splintered and confusing. It helps to understand some basic differences in security roles, even if you don’t want those jobs for yourself.


Review last access information to identify unused ECT, IAM, and Lambda permissions and tighten access to your IAM roles. While the title is a mouthful, it is critical that you routinely and frequently audit your AWS environment to tighten permissions down to only what an account or service must access to do its job. Open permissions you think something needs, then use these methods to see what it doesn’t use, and close those down to the minimum required to function.


And now for the tip of the week. Always assign permissions to AWS IAM user groups. Never assign permissions to individual users. If a user needs a combination of permissions none of your user groups have in IAM, then create a new group with that combination of permissions, or use multiple existing groups to assign the user the exact set of permissions needed. This is critical for two reasons.


First, using groups scales for easier management for when you have more users needing the same permissions; you can quickly end up with lots of users floating about with one-off custom permissions that’s more complicated and time-consuming to track and audit. Second, when a project dies or morphs, you can delete or alter the related group permissions to change all the related users at once. In addition, this allows you to work more closely with project teams to roll out security with the new projects. And that’s a wrap for the week, folks securely yours, Jesse Trucks.


Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcast, Spotify, or wherever you listen to podcasts.


Announcer: This has been a HumblePod production. Stay humble.

Join the newsletter

Cloud Security For Humans

Got it. You're on the list!

Meanwhile in Security is a production of The Duckbill Group. Check out our other publications, Last Week in AWS, Screaming in the Cloud, and AWS Morning Brief.

© The Duckbill Group, 2021